As an adult leader within the Boy Scouts, I coined the term “malicious obedience” to describe how teenagers fulfill instructions. After years of working in both the medical and automotive product cybersecurity space, not much has changed.
How are these two similar?
In both cases, whatever is not unambiguously and explicitly required simply doesn't happen. The difference is that teenagers are merely boundary-testing, whereas in the case of safety-critical, cyber-physical systems, the companies are being intentionally short-sighted.
It's not like this is news to anyone. It's so widespread that the very international committees responsible for establishing the standards to which companies are held engage in an odd combination of only requiring what they know the companies their members represent already do, and of making nearly everything else optional.
At the end of the day, being able to assert that your company holds such-and-such standard certification carries about as much weight as having passed a 15-minute awareness training video played at 3x speed, followed by multiple-choice questions so trivial as to call into question the point of the training in the first place.
Even the fact that international standards are consensus documents is not well appreciated. Because of this, companies, and indeed entire national delegations, block anything they don't like. The result is that the standards produced are virtually toothless. To make matters worse, having recognized this major deficiency, standards bodies have of late resorted to creating cascading, interlocking standard-shards meant to address deficiencies that should have delayed the original standard's release.
Exacerbating matters is the cottage industry supporting the checklist-ification of standards, reducing them to meaningless binary decisions bereft of any nuance. These checklists are snatched up by individuals and groups who have no product cybersecurity domain knowledge and who, in most cases, have not read the standard itself. Instead, there is a reliance on service-providing vendors to interpret the standards for companies.
The end result of all of this performative nonsense is that the consumer of these products is faced with companies making blanket statements that are both opaque and unsubstantiated. At best, there is a certificate from a well-known organization. At worst, cybersecurity itself is hand-waved away as being unregulated. This situation is even called out within UNR155, which says that companies can't use the excuse of not having seen a problem as a reason for not addressing the possibility of one.
So, what’s a customer to do?
Demand to see the receipts. Show me your process documentation. Show me your metrics. Show me that you won't charge me to fix your bugs. Show me that cybersecurity extends throughout your supply chain. Show me that the people you've got working on cybersecurity are both qualified and trained. Show me your plan for when a supplier goes out of business. Show me that your cybersecurity requirements and design analysis are based on sound principles and not on this week's hottest threat vector.
As with all posts on this blog, these are my personal opinions and not that of my employer.
Volcano image By Alcinoe Calahorrano – U.S. Geological Survey, Public Domain, https://commons.wikimedia.org/w/index.php?curid=1078943